implementing VPN for remote users

I am looking for some advice. I have roughly 50 users that are remote, and use VPN to access the resources in my network such as file servers, application servers etc. We currently use Microsoft VPN to authenticate those users. It works, but I am not a fan of Microsoft VPN.

I have purchased an ASA5520 to replace my crappy layer 3 HP core backbone switch, and plan on replacing my Microsoft VPN with Cisco VPN. I want to configure my ASA so my remote users can continue to VPN into my network securely, but also want them to authenticate from their Active Directory credentials. Is this possible?

If authenticating to AD from Cisco is not traditional, and problematic, then I am open to suggestions. I do not have web licenses, only the AnyConnect.


Replies

Regarding the whole idea - you can, but you don't have to move away from the MS VPN client - one of its modes, L2TP over IPsec, is supported on the ASA.

If that's not enough for some reason you have SSL VPN or IPsec VPN - in both cases I suggest looking at the AnyConnect client. The old Cisco VPN client will soon be out of support - but is still working for the most part.

Thanks for the reply. I do have the AnyConnect client. How do I configure AnyConnect to LDAP? Not sure if I should use the GUI or command line. The GUI seems more intuitive since I'm a step above a VPN novice. When I set up my site-to-site VPN between my building and another building, it really junked up my config.

Instead of "IETF-Radius-Class" you would need to use "IETF-Radius-Filter-Id".

Multiple attribute mapping is NOT supported by the LDAP attribute map; it works on the first match!

I.e., if the user is part of both groups, the matching is done on the first match and it does not check the next line. So if the user is part of both groups it is mapped only by the first LDAP map configuration.

When the ASA performs an LDAP authentication request, the AD server will (if the authentication is successful) send back a number of attributes, one of which is the "memberOf" attribute, which tells the ASA what AD group(s) the user is in.

What this does is create a mapping between the LDAP "memberOf" attribute and the ASA "IETF-Radius-Class" attribute (which indicates the group-policy to use). In the most recent ASA software versions, "IETF-Radius-Class" has been replaced with "Group-Policy".

It also defines that the LDAP group "CN=VPNUSERS,OU=Users,DC=CISCOTEST,DC=COM" should be mapped to the group-policy "AllowVPN".
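The complete ASA CLI configuration that the answer above describes, written out as an added example (it is not taken from the original thread or from the poster). The group DN "CN=VPNUSERS,OU=Users,DC=CISCOTEST,DC=COM" and the group-policy name "AllowVPN" come from the answer; the server address 10.0.0.10, the bind account "asa-ldap-bind", the aaa-server group name "AD-LDAP", the tunnel-group name "RemoteUsers", the address pool and the interface names are assumptions. Two points are worth noting beyond the answer: the tunnel-group's default group-policy is set to one with "vpn-simultaneous-logins 0", so an AD user who authenticates but is not in VPNUSERS is refused a session rather than being admitted with default settings, and the bind account is an ordinary read-only domain user over LDAPS on port 636, not a privileged account over plain LDAP on 389.

```text
! --- LDAP attribute map: memberOf -> Group-Policy (first match wins) ---
! On older ASA releases replace "Group-Policy" with "IETF-Radius-Class".
ldap attribute-map AD-to-GroupPolicy
 map-name  memberOf Group-Policy
 map-value memberOf "CN=VPNUSERS,OU=Users,DC=CISCOTEST,DC=COM" AllowVPN

! --- AAA server group pointing at the domain controller (assumed 10.0.0.10) ---
aaa-server AD-LDAP protocol ldap
aaa-server AD-LDAP (inside) host 10.0.0.10
 server-port 636
 ldap-over-ssl enable
 ldap-base-dn DC=CISCOTEST,DC=COM
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ! assumed low-privilege, read-only bind account; never a Domain Admin
 ldap-login-dn CN=asa-ldap-bind,OU=ServiceAccounts,DC=CISCOTEST,DC=COM
 ldap-login-password <bind-account-password>
 server-type microsoft
 ldap-attribute-map AD-to-GroupPolicy

! --- Group policies ---
! Fallback policy: anyone not mapped by the attribute map lands here and is denied.
group-policy NoAccess internal
group-policy NoAccess attributes
 vpn-simultaneous-logins 0

! Policy assigned to members of VPNUSERS.
group-policy AllowVPN internal
group-policy AllowVPN attributes
 vpn-tunnel-protocol ssl-client
 vpn-simultaneous-logins 1
 dns-server value 10.0.0.10
 default-domain value ciscotest.com

! --- AnyConnect remote-access tunnel group (assumed names) ---
ip local pool VPN-POOL 10.10.10.1-10.10.10.100 mask 255.255.255.0

webvpn
 enable outside
 anyconnect enable

tunnel-group RemoteUsers type remote-access
tunnel-group RemoteUsers general-attributes
 address-pool VPN-POOL
 authentication-server-group AD-LDAP
 default-group-policy NoAccess
tunnel-group RemoteUsers webvpn-attributes
 group-alias RemoteUsers enable

! --- Verification from the ASA CLI (assumed user "jdoe") ---
! A VPNUSERS member should report "Group-Policy ... AllowVPN"; a non-member
! authenticates successfully but is then refused by the NoAccess policy.
test aaa-server authentication AD-LDAP host 10.0.0.10 username jdoe password <pw>
debug ldap 255
```

When testing, watch the "debug ldap 255" output for the memberOf values returned by AD and the map-value line the ASA selects. Because the attribute map stops at the first match, a user in several mapped groups gets whichever of those groups the ASA sees first, so keep group memberships non-overlapping or test each combination explicitly rather than relying on the order of the map-value lines.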

Thanks for info. I'll start digging in, and let you know how it works.

I checked the licenses and applied them. I rebooted the ASA and strangely it still doesn't enable the AnyConnect Essentials. ...see below: I will not read into it. I'll move forward with the rest of the instructions that you posted.